You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Microsoft Sentinel's [Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection) connector with incident integration allows you to stream all Microsoft 365 Defender incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals. Microsoft 365 Defender incidents include all their alerts, entities, and other relevant information, and they group together, and are enriched by, alerts from Microsoft 365 Defender's component services **Microsoft Defender for Endpoint**, **Microsoft Defender for Identity**, **Microsoft Defender for Office 365**, and **Microsoft Defender for Cloud Apps**, as well as alerts from other services such as **Microsoft Purview Data Loss Prevention (DLP)**.
14
16
15
17
The connector also lets you stream **advanced hunting** events from *all* of the above components into Microsoft Sentinel, allowing you to copy those Defender components' advanced hunting queries into Microsoft Sentinel, enrich Sentinel alerts with the Defender components' raw event data to provide additional insights, and store the logs with increased retention in Log Analytics.
@@ -28,22 +30,57 @@ For more information about incident integration and advanced hunting event colle
28
30
29
31
- Your user must have read and write permissions on your Microsoft Sentinel workspace.
30
32
33
+
### Prerequisites for Active Directory sync via MDI
34
+
35
+
- Your tenant must be onboarded to Microsoft Defender for Identity.
36
+
37
+
- You must have the MDI sensor installed.
38
+
31
39
## Connect to Microsoft 365 Defender
32
40
33
-
1.In Microsoft Sentinel, select **Data connectors**, select **Microsoft 365 Defender (Preview)** from the gallery and select **Open connector page**.
41
+
In Microsoft Sentinel, select **Data connectors**, select **Microsoft 365 Defender (Preview)** from the gallery and select **Open connector page**.
34
42
35
-
1. Under**Configuration**in the **Connect incidents & alerts**section, select the **Connect incidents & alerts** button.
43
+
The **Configuration** section has three parts:
36
44
37
-
1.To avoid duplication of incidents, it is recommended to mark the check box labeled **Turn off all Microsoft incident creation rules for these products.**
45
+
1.[**Connect incidents and alerts**](#connect-incidents-and-alerts) enables the basic integration between Microsoft 365 Defender and Microsoft Sentinel, synchronizing incidents and their alerts between the two platforms.
38
46
39
-
> [!NOTE]
40
-
> When you enable the Microsoft 365 Defender connector, all of the Microsoft 365 Defender components’ connectors (the ones mentioned at the beginning of this article) are automatically connected in the background. In order to disconnect one of the components’ connectors, you must first disconnect the Microsoft 365 Defender connector.
47
+
1.[**Connect entities**](#connect-entities) enables the integration of on-premises Active Directory user identities into Microsoft Sentinel through Microsoft Defender for Identity.
41
48
42
-
1. To query Microsoft 365 Defender incident data, use the following statement in the query window:
43
-
```kusto
44
-
SecurityIncident
45
-
| where ProviderName == "Microsoft 365 Defender"
46
-
```
49
+
1.[**Connect events**](#connect-events) enables the collection of raw advanced hunting events from Defender components.
50
+
51
+
These are explained in greater detail below. See [Microsoft 365 Defender integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md) for more information.
52
+
53
+
### Connect incidents and alerts
54
+
55
+
Select the **Connect incidents & alerts** button to connect Microsoft 365 Defender incidents to your Microsoft Sentinel incidents queue.
56
+
57
+
If you see a check box labeled **Turn off all Microsoft incident creation rules for these products. Recommended**, mark it to avoid duplication of incidents.
58
+
59
+
> [!NOTE]
60
+
> When you enable the Microsoft 365 Defender connector, all of the Microsoft 365 Defender components’ connectors (the ones mentioned at the beginning of this article) are automatically connected in the background. In order to disconnect one of the components’ connectors, you must first disconnect the Microsoft 365 Defender connector.
61
+
62
+
To query Microsoft 365 Defender incident data, use the following statement in the query window:
63
+
64
+
```kusto
65
+
SecurityIncident
66
+
| where ProviderName == "Microsoft 365 Defender"
67
+
```
68
+
69
+
### Connect entities
70
+
71
+
Use Microsoft Defender for Identity to sync user entities from your on-premises Active Directory to Microsoft Sentinel.
72
+
73
+
Verify that you've satisfied the [prerequisites](#prerequisites-for-active-directory-sync-via-mdi) for syncing on-premises Active Directory users through Microsoft Defender for Identity (MDI).
74
+
75
+
1. Select the **Go the UEBA configuration page** link.
76
+
77
+
1. In the **Entity behavior configuration** page, if you haven't yet enabled UEBA, then at the top of the page, move the toggle to **On**.
78
+
79
+
1. Mark the **Active Directory (Preview)** check box and select **Apply**.
80
+
81
+
:::image type="content" source="media/connect-microsoft-365-defender/ueba-configuration-page.png" alt-text="Screenshot of UEBA configuration page for connecting user entities to Sentinel.":::
82
+
83
+
### Connect events
47
84
48
85
1. If you want to collect advanced hunting events from Microsoft Defender for Endpoint or Microsoft Defender for Office 365, the following types of events can be collected from their corresponding advanced hunting tables.
@@ -38,13 +32,25 @@ To enable or disable this feature (these prerequisites are not required to use t
38
32
39
33
## How to enable User and Entity Behavior Analytics
40
34
41
-
1. From the Microsoft Sentinel navigation menu, select **Entity behavior**.
35
+
1. Go to the **Entity behavior configuration** page. There are three ways to get to this page:
36
+
37
+
- Select **Entity behavior** from the Microsoft Sentinel navigation menu, then select **Entity behavior settings** from the top menu bar.
38
+
39
+
- Select **Settings** from the Microsoft Sentinel navigation menu, select the **Settings** tab, then under the **Entity behavior analytics** expander, select **Set UEBA**.
42
40
43
-
1. From the top menu bar, select **Entity behavior settings**.
44
-
If you haven't yet enabled UEBA, you will be taken to the **Settings** page. Select **Configure UEBA**.
41
+
- From the Microsoft 365 Defender data connector page, select the **Go the UEBA configuration page** link.
45
42
46
43
1. On the **Entity behavior configuration** page, switch the toggle to **On**.
47
44
45
+
:::image type="content" source="media/enable-entity-behavior-analytics/ueba-configuration.png" alt-text="Screenshot of UEBA configuration settings.":::
46
+
47
+
1. Mark the check boxes next to the Active Directory source types from which you want to synchronize user entities with Microsoft Sentinel.
48
+
49
+
-**Active Directory** on-premises (Preview)
50
+
-**Azure Active Directory**
51
+
52
+
To sync user entities from on-premises Active Directory, your Azure tenant must be onboarded to Microsoft Defender for Identity (either standalone or as part of Microsoft 365 Defender) and you must have the MDI sensor installed on your Active Directory domain controller. See [Microsoft Defender for Identity prerequisites](/defender-for-identity/prerequisites) for more information.
53
+
48
54
1. Mark the check boxes next to the data sources on which you want to enable UEBA.
49
55
50
56
> [!NOTE]
@@ -53,7 +59,7 @@ If you haven't yet enabled UEBA, you will be taken to the **Settings** page. Sel
53
59
>
54
60
> Once you have enabled UEBA, you will have the option, when connecting new data sources, to enable them for UEBA directly from the data connector pane if they are UEBA-capable.
55
61
56
-
1. Select **Apply**. You will be returned to the **Entity behavior** page.
62
+
1. Select **Apply**. If you accessed this page through the **Entity behavior** page, you will be returned there.
Copy file name to clipboardExpand all lines: articles/sentinel/identify-threats-with-entity-behavior-analytics.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,12 +10,8 @@ ms.custom: ignite-fall-2021
10
10
11
11
# Identify advanced threats with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
12
12
13
-
[!INCLUDE [Banner for top of topics](./includes/banner.md)]
14
-
15
13
> [!IMPORTANT]
16
14
>
17
-
> - The UEBA and Entity Pages features are now in **General Availability** in ***all*** Microsoft Sentinel geographies and regions.
18
-
>
19
15
> - The **IP address entity** is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
The user entity information that Microsoft Sentinel uses to build its user profiles comes from your Azure Active Directory (and/or your on-premises Active Directory, now in Preview). When you enable UEBA, it synchronizes your Azure Active Directory with Microsoft Sentinel, storing the information in an internal database visible through the *IdentityInfo* table in Log Analytics.
51
+
52
+
Now in preview, you can also sync your on-premises Active Directory user entity information as well, using Microsoft Defender for Identity.
53
+
54
+
See [Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](enable-entity-behavior-analytics.md) to learn how to enable UEBA and synchronize user identities.
0 commit comments